Efficient access control for wireless sensor data

(1)

Efficient Access Control for Wireless Sensor Data

Alessandro Sorniotti SAP Research and Institut Eur´ecom

805, Docteur Maurice Donat 06250 Mougins, France Email: [email protected]

Refik Molva Institut Eur´ecom 2229, Route des Crˆetes 06560 Valbonne, France Email: [email protected]

Laurent Gomez SAP Research 805, Docteur Maurice Donat

06250 Mougins, France Email: [email protected]

Abstract—Although very developed in many sectors (databases, filesystems), access control schemes are still somewhat elusive when it comes to wireless sensor networks. However, it is clear that many WSN systems – such as healthcare and automotive ones – need a controlled access to data that sensor nodes produce, given its high sensitivity. Enforcing access control in wireless sensor networks is a particularly difficult task due to the limited computational capacity of wireless sensor nodes. In this paper we present a full-fledged access control scheme for wireless sensor data. We enforce access control through data encryption, thus embedding access control in sensor data units. We also propose a lightweight key generation mechanism, based on cryptographic hash functions, that allows for hierarchical key derivation. The suggested protocol only relies on simple operations, does not require interactions between nodes and data consumers and has minimal storage requirements.

I. INTRODUCTION

Wireless Sensor Networks (WSNs) can be seen - in a raw approximation - as sources of input, delivering data from the real world into the digital world. Low cost often arises as a requirement to justify the adoption of WSN technology for particular business scenarios: this results in sensors often being simple devices, with limited computing and transmitting power and limited battery capacity too.

In many WSN scenarios, nodes are required to sense a vast range of different data types: in an elderly-care scenario for instance, ambient sensors sensing room occupancy, tempera- ture, motion, activity and sound are used together with body sensors sensing blood pressure, HRV, galvanic skin response, SpO2, blood glucose rate and so forth [14].

In scenarios such as the healthcare one, the sensed data is often highly sensitive. Moreover, the sensed data often has very different levels of sensitivity: the mere information on the room occupancy of a hospital is not highly sensitive, whereas the ECG of a given patient is indeed very private information, since it could possibly reveal information about the health status of the person.

There can also be several consumers of wireless sensor data, belonging to an heterogeneous population, and having intrinsically different data access rights: within a healthcare scenario, patients, social workers, nurses, relatives, generic physicians and specialists naturally form a hierarchy of entities that are interested in the data delivered by a healthcare WSN.

Data consumers can be therefore conveniently organized in hierarchies. Low levels in the hierarchy can just access data

with low level of sensitivity whilst higher levels can also access more sensitive data.

A problem of hierarchical access control therefore clearly arises. The solution to such a problem is additionally compli- cated by the resource limitation of some WSN installations.

In this paper we present an hierarchical access control scheme for wireless sensor data. Access control is enforced using cryptography: sensors encrypt data prior to its transmission, thus embedding access control right at the source. Thanks to the key generation mechanism, multiple consumers, with different access rights, converge on the same decryption key if their privileges are sufficient. The presented protocol achieves two very desirable goals for WSNs: it does not use complex operations and it does not require any interaction between the different nodes and the different data consumers.

The rest of the paper is organized as follows. Section II states the problem. Section III presents the state of the art in related areas. Our access control scheme is presented in Section IV. Section V analyses the security of the scheme.

Section VI gives conclusions.

II. PROBLEMSTATEMENT ANDAPPROACH

Sensor nodes produce, on a broadcast medium, highly diverse data, which is often very sensitive. Sensors listeners may be numerous, diverse and have different access rights to sensor data. The problem of multiple-resources/multiple-accesses is usually solved using access control. Under a standard access control scenario, entities that wish to benefit from the produced information, have to authenticate themselves, receive a credential, produce the credential to the data source and receive a specialized stream of information that contains just the information the requester received an authorization for. Many solutions exist for this problem [12], however most of them are unsuitable for WSN scenarios, given the technological constraints of the nodes. In addition, nodes produce data in real time, hence the generation of multiple streams is difficult.

Our solution relies on cryptography: right from its production, data is encrypted, and therefore its access is intrinsically restricted. This way, sensors can encrypt data and publish it regardless of the present consumers: the knowledge of the cryptographic key used to encrypt data, belonging to a given level, allows proper decryption – and therefore access – to data belonging to that level. Conversely, it is impossible to access

(2)

encrypted data for consumers who do not have the proper decryption key.

To satisfy the hierarchical requirement, the idea is to map each distinct sensor data type to anauthorization level. Data, whose disclosure does not rise high privacy issues, is mapped to lowauthorization levels. Similarly, highly private data will be mapped to highauthorization levels. The resulting mapping expresses the security preferences of a central access control policy point. The hierarchy of authorization levels is then mapped to keys in a hierarchical structure, whereby low-level keys can be derived from high-level ones.

We model the hierarchy of authorization levels (al) as a tree. al₀ is the root of the tree, and represents the highest level. C(ali) represents the set of children nodes of a given levelali.P(ali)represents the parent node of a given levelali, withP(al0) =∅. We restrict the admissible hierarchies to the ones which can be modeled by trees such that∀ali, ∃!alk : alk =P(ali), i.e. where nodes have just a single parent. We assume that a user who receives access rights toali is able to derive access rights toC(ali),C(C(ali))and so forth, while the converse (i.e. deriving access rights forP(ali)) is not allowed.

In section IV we will detail how we implement such mapping between authorization level tree and cryptographic keys.

The adoption of encryption as a way to enforce access control reduces the problem of granting, denying and revoking access rights to a problem of key management. We assume the presence of a central access control manager (ACM) which – after evaluation of data consumers’ (from now on also referred to as users) credentials – takes care of granting, denying and revoking access rights. Granting a user to a given authorization level means giving her the key to decrypt all data units mapped to that level and to descendant ones. Denying access simply implies not providing the decryption key(s). Finally, revocation of access rights is based on rekeying: changing the keys used at a given point, forces data consumers to re-contact the ACM in order to receive the new keys. Consumers whose access rights have been revoked do not receive the new keys, which accomplishes the revocation. This approach achieves the desirable property of no specific interactions between data producers (the sensor nodes) and data consumers, other than data publishing.

III. RELATEDWORK

The seminal work of Akl and Taylor [1] first proposes a solution for data access control based on cryptography. Access controlled resources (data), users and cryptographic keys are mapped to a hierarchy of classes, represented by a directed acyclic graph. Data belonging to a given class is encrypted with the key associated to that class. The key generation scheme uses the homomorphic properties of modular exponentiation. It assures that a user, who is given the decrypting key of a class, can generate the keys of that class’ descendants, and therefore access data mapped to descendant classes as well. On the contrary, the inverse – generating the key of a parent class – is unfeasible. However, the expensive operations used in the

scheme (modular exponentiation) make this scheme unsuitable for a WSN environment.

In [8], Chien proposes a much lighter key generation scheme, based on one way hash functions instead of modular exponentiation. In addition, the author places a time bound on keys, introducing time periods: during each time period, a new key for each class of data is derived. However, this scheme suffers from a few drawbacks: first of all it requires tamper resistant devices, in order to store secret material used to derive keys. Second, similarly to Akl’s scheme, it is impossible to revoke a user’s access right to a lower class in the hierarchy.

Finally, in [15], Yi showed an attack where, despite the tamper resistance requirement, a coalition of three user can access some secret class keys that they should not know according to Chien’s scheme.

In [13], Tzeng proposes a time-bounded key assignment scheme for hierarchies. The computation of the keys however, involves particularly expensive Lucas function computation.

This scheme is not suitable for resource-constrained WSN nodes due to the particularly expensive operations required for the computation of keys.

In [11], Shehab et al. propose a mechanism to generate and distribute hierarchical keys. Although efficient and very well suited for WSN, this scheme has no time bound on keys, and therefore it is not ready to represent a fully flourished access control solution.

In [2], [3], Atallah and colleagues propose a general and efficient scheme to incorporate time bounds in existing management scheme. In addition, they show how to create a full-fledged hierarchical access control scheme with time capabilities. The scheme is elegant and efficient, relies just on one way hash functions, but – seen from a WSN viewpoint – requires a too elevated amount of public information in order to allow for efficient key derivation.

IV. THESCHEME

In Section II we presented an approach to sensor data access control based on data encryption with an hierarchical key structure, which allows for key derivation of children authorization levels. In this Section we first introduce the cryptographic primitives used to implement the scheme, then the various mechanisms used in the scheme and finally we wrap-up showing how all the pieces come together to form an access control system.

A. Preliminary definitions

Let h : {0,1}ⁿ × {0,1}^∗ → {0,1}ⁿ be a message authentication code (MAC) based on a one-way hash function (OWHF)f. We recall that OWHFs requirepreimage resistance (given a value F ∈ {0,1}ⁿ, it is computationally infeasible to find x such that f(x) = F) and 2nd-preimage resistance (givenx, it is computationally infeasible to findx⁰ such that f(x) = f(x⁰)). h takes as input an n-bit secret value and an arbitrarily long string and produces a pseudo-random n- bit string that strongly depends on both the secret value and

(3)

Fig. 1. Authorization level structure

the string. An example of such function is the well-known HMAC [4].

Using h, we can efficiently associate values to each authorization level, so that the derivation process suits the hierarchical requirement of the scheme. We then use these values to derive the keys used in the scheme. Let us label each of the direct children nodes of a parent node with an incremental index,1 for the leftmost child,2 for the next one and so forth. We refer to the index of a generic node ali as idx(ali). Then, the valuesV(ali)associated to each level can be computed as

V(al_i) =

(V₀, if i= 0;

h(V(P(ali)), idx(ali)), if i6= 0;

whereV₀is a given initial value, whose generation mechanism will be detailed later on in this Section. For example, with reference to the hierarchy in Figure 1,

V(al4) = h(V(P(al₄)), idx(al₄))

= h(V(al1),2)

= h(h(V(P(al₁)), idx(al₁)),2)

= h(h(V(al0),1),2)

= h(h(V0,1),2)

It is straightforward to see how it is easy to derive values for descendant levels from higher ones, whereas the converse is unfeasible thanks to the one-wayness of f.

In order to further explain the scheme, we introduce the encryption scheme used in the system, which is the well- known one-time-pad (OTP) scheme [10]. The efficiency of OTP makes it very suitable for WSN environment. As widely known in literature, one-time-pad is information-theoretically secure as long as the encryption key is never reused twice. We must keep in mind this requirement when we design the key generation mechanism.

B. Key Generation, Distribution and Derivation

Keys for a given authorization levelal_iare derived from the values V(ali). The use of OTP as encryption and decryption mechanism requires to have a different key for each sensor, since the encryption of data belonging to the same authorization level leads to key reuse, which opens the possibility of breaking the encryption scheme with statistical attacks.

A sequence number is also needed to differentiate the keys used by the same sensor node to encrypt multiple data units belonging to the same authorization level, for the same reason mentioned before.

Keys can therefore be computed as

Kal_i,ID,seq =h(V(ali), IDkseq)

whereIDis a univocal numeric identifier for each sensor, and seq is a sequence number, locally maintained at each sensor node.

When a user wants to access sensor data at a given authorization level all, she contacts the ACM, produces her credentials and she is either cleared or refused. We point out that these aspects of the protocol (e.g. details on how to obtain credentials, how to authenticate to the ACM, the policies in use and so forth) are out of the scope of this paper and therefore not addressed in this paper. If she is cleared she receives an access right value. From the latter she will be able to derive all the keys to decrypt data, classified to authorization levell or to its descendants in the hierarchy.

Fig. 2. Derivation of keys

To understand the key derivation mechanism, we refer to Figure 2. Let us assume that a given user is cleared to authorization levelal₁. Then she will receive the valueV(al1).

From that value she can easily derive the keysK_al₁_,ID,seq for allseqandIDin one step computingh(V(al₁), IDkseq). She can also easily compute all the keys for authorization levels that are descendants in the hierarchy. For instance, she can compute the keysKal₃,ID,seq for allseqandIDin two steps, first computingV(al3) =h(V(al1),1)and then computing the key as h(V(al3), IDkseq). The same process can be applied to compute any key which is a descendant of the granted one.

In general, when a user is cleared to authorization leveli, she then receives V(ali)from the ACM.

Figure 3 shows a complete picture of the key generation scheme, which also encompasses the generation of the value V0. In order to do so, let us introduce two counters, c1 and c2, and a secret valueS. Both counters are initialized to one.

S andc1are used to compute S⁰ash(S, c1).S⁰ is updated as c1 increases. Similarly,S⁰ andc2are used to finally compute

(4)

Fig. 3. Complete key generation scheme

V₀ as h(S⁰, c₂).V₀ too is updated asc₂ increases.

The counter c2 is incremented each time the need for revocation arises: each time a user grant needs to be revoked, c2 is increased andV0 is updated. From the updated value, a new set of keys is generated, using the technique introduced earlier on in this section. Previous keys are therefore no longer used for encryption and consequently, keys that were previously used for decryption cannot be used any longer;

hence all the access rights are revoked altogether.

The remaining problem is how to distribute keys to sensor nodes. A simple approach could be the predistribution of the secret value S to each sensor node prior to the deployment of the network. This solution allows a node to generate all the keys of the system. Although very practical, this solution suffer from a security exposure, since by compromising a single node, an attacker would be able to decrypt all data.

This problem could be solved by requiring nodes to be tamper- resistant; however this requirement clashes with the economic constraints of sensor nodes. On the other hand, distributing the updated values ofV0 to sensor nodes as access grants are revoked, would result in excessive transmission overhead.

As a good tradeoff, nodes are instead given the intermediate values of S⁰ (see Figure 3). This way, we allow sensors to update the value ofV₀ across multiple revocation phases, yet, if ever a node is compromised, the ACM simply increments c1 and computes a new S⁰, which is transmitted to non- compromised sensors using a reliable, confidential, authenticated broadcast scheme [9], [7].

C. Putting it All Together

At system startup, the ACM assigns a random secret value to S and sets c1 and c2 to one. Then it creates a mapping of each of the data types sensed by sensors into authorization levels, and installs this mapping onto each sensor. Finally, the valueS⁰ =h(S, c1)is broadcasted to each sensor on a secure channel, along with the initial value of c2.

Each sensor has a numeric identifier ID that univocally identifies it in the sensor population. Each sensor also has a counterseqwhich is initialized to zero. Upon sensing a value v, a sensor derives its associated authorization level, say,al_x, generates the proper encryption keyK_al_x_,ID,seq using itsID and the current value ofseqand broadcasts

{Kalx,ID,seq⊕v, al_x, ID, seq, c₂} (1) It then increments seq and sets itself ready to sense another value.

When a user joins the system, it contacts the ACM and performs the authentication/authorization process, at the end of which she might be cleared to an authorization level. Let us assume that the granted level isal_g. She is then givenV(al_g), computed with the value ofc₁ andc₂currently in use. She is also given the valuec2.

Upon receiving sensor data as in 1, a user first checks if the receivedc2 is equal to the held one. If so, she then checks if alx is equal to, or a child authorization level of, the granted level alg (alg alx). If so, then she uses the key derivation procedure to compute the key and decrypt the value. If c2 is different, she contacts again the ACM to refresh its grant.

Finally, if alg 6 alx, she simply does not have sufficient privileges to access data belonging to that class.

If the ACM needs to revoke the access rights of a user, it broadcasts – through an authenticated and reliable channel – a command to force each sensor to increment c₂ and update V₀ accordingly. Keys are therefore re-computed from the new value ofV₀: this results in an immediate access rights revocation for all users. Users are therefore forced to re-contact the ACM to get the new access right valuesV(al_i). Naturally, a user whose grants are to be revoked will not succeed in this operation, thus effectively having its access rights revoked.

If a node is compromised, the ACM incrementsc1 andc2, and broadcasts to all non-compromised sensors, on a secure channel, the updated value S⁰ = h(S, c1) along with the command to force each sensor to incrementc2. Sensors update V0using the new value ofS⁰ freshly received from the ACM, and the incremented c2. Thus, the compromised sensor(s) holds an outdated V0, whose exposure to an attacker is not a concern. We point out that – from a user’s perspective – this process is undistinguishable from a normal revocation:

users just witness an incremented value ofc₂and are therefore forced to re-contact the ACM to get new access right values.

V. SCHEMEANALYSIS

In this section we firstly evaluate the security of the scheme.

First of all it is clear that an outsider, with only publicly known information available, cannot generate a valid key, since every key depends on the secret valueS. S is never disclosed, and therefore an outsider has no chance to get it and use it to generate a valid key.

Any coalition of users cannot escalate their privileges or, similarly, for every coalition, the highest attainable class is the highest granted one either. This claim easily follows from the choice of a secure message authentication code such

(5)

as [4] which does not allow existential forgery under chosen- plaintext attacks. This property translates into the impossibility – from V(al_i)– to forge ∀ V(alj) :al_j ∈ C(P(ali)) i.e. the value of any of the direct siblings of al_i. The one wayness of f in turn, protects us from the derivation of the value of the parent nodeV(P(al_i))fromV(al_i). It is straightforward to see how these two assurances together lead to the impossibility of privilege escalation.

As far as the strength of the encryption mechanism is concerned, it is well known that the one-time pad algorithm assures semantic security if the encryption keys are randomly chosen and never re-used. We have shown that no two sensor data can be encrypted with the same key. Therefore, since keys are never reused, the only possibility for a statistical attack is some correlation between different keys. However, with the choice of a strong hash function for f, all the keys are pseudo-random and the correlation between them is so small as to discourage any statistical attack. In addition, it is possible to reduce the encryption scheme tod⊕h(K, counter) where d is the cleartext value and K is a secret value. If we model h as a random oracle [6], it is easy to see that the encryption scheme is equivalent to the well known CTR encryption scheme, introduced in [5], which exhibits strong security properties.

It is clear that, the encryption scheme used in the system being a symmetric one, malicious users can inject encrypted data in the system and have honest consumers decrypt it as if it were a legitimate data unit. However the data origin authentication problem is not addressed here since this is an access control scheme that deals just with confidentiality and authorization.

Public storage mapping

Required storage on sensor nodes seq,ID,c2,S⁰ Required storage on users V(al_i),c2

Key derivation O(n)hash operations

Encryption/Decryption 1 hash + 1 xor

c2 rekeying update message

c1 andc2 rekeying update message +S⁰ TABLE I

CONSIDERATIONS ON THE PERFORMANCES OF THE SCHEME

As for the performances of the scheme, we can see in Table I that the proposed scheme achieves remarkable results.

The required public storage only amounts to the mapping of data types to authorization levels, which is a data structure representing – for instance – the tree in Figure 1; sensor nodes have to store two counters (c1 and c2), their numeric identifier and the current value S⁰, whereas users are just required to store one counter (c₁) and the access right value V(al_i)for a given granted classac_i. Looking and the number of operations, we can see that to derive a key, users and nodes require an average of O(n) hash computations, where n is the depth of the tree of the authorization levels. We underline that this operation is just performed once to derive V(alj) from the access right value V(ali), ∀alj : ali ≺alj. After the derivation, encryption and decryption are performed with one single hash evaluation to derive the key and a single xor

operation to perform OTP. Finally, the two different types of rekeying, the one that involves the increment of c₁ (in turn, of bothc₁andc₂), just requires one message to orders sensor nodes to increment c₁ (in turn, one message to order sensor nodes to incrementc₁plus the secure broadcast of the updated S⁰).

VI. CONCLUSION

We have presented an hierarchical access control scheme for wireless sensor networks. The scheme relies upon data encryption in order to protect data access from the moment of its production. A lightweight key derivation protocol – solely based on the computation of message authentication codes (MACs) – achieves hierarchical derivation of keys: users having sufficient, yet possibly different, access rights, can derive the same decryption key. The protocol supports easy revocation of access rights through rekeying, which can be performed seamlessly at each sensor. The intervention of the access control module is just required upon detection of a compromised node.

REFERENCES

[1] S. G. Akl and P. D. Taylor. Cryptographic solution to a problem of access control in a hierarchy.ACM Trans. Comput. Syst., 1(3):239–248, 1983.

[2] M. J. Atallah, M. Blanton, and K. B. Frikken. Incorporating temporal capabilities in existing key management schemes. InESORICS, pages 515–530, 2007.

[3] M. J. Atallah, M. Blanton, and K. B. Frikken. Incorporating temporal capabilities in existing key management schemes. Cryptology ePrint Archive, Report 2007/245, 2007.

[4] M. Bellare, R. Canetti, and H. Krawczyk. Keying hash functions for message authentication. InCRYPTO, pages 1–15, 1996.

[5] M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A concrete security treatment of symmetric encryption. InFOCS ’97: Proceedings of the 38th Annual Symposium on Foundations of Computer Science (FOCS

’97), page 394, Washington, DC, USA, 1997. IEEE Computer Society.

[6] M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. InACM Conference on Computer and Communications Security, pages 62–73, 1993.

[7] S.-M. Chang, S. Shieh, W. W. Lin, and C.-M. Hsieh. An efficient broadcast authentication scheme in wireless sensor networks. InASIACCS ’06:

Proceedings of the 2006 ACM Symposium on Information, computer and communications security, pages 311–320, New York, NY, USA, 2006.

ACM.

[8] M.-H.-Y. Chien. Efficient time-bound hierarchical key assignment scheme. IEEE Transactions on Knowledge and Data Engineering, 16(10):1301–1304, 2004.

[9] A. Fiat and M. Naor. Broadcast encryption. InCRYPTO, pages 480–491, 1993.

[10] J.-O. Mauborgne and G. Vernam. One time pad scheme. at http://en.wikipedia.org/wiki/One-time pad.

[11] M. Shehab, E. Bertino, and A. Ghafoor. Efficient hierarchical key generation and key diffusion for sensor networks. InSecond Annual IEEE Communications Society Conference on Sensor and AdHoc Com- munications and Networks, 2005.

[12] W. Tolone, G.-J. Ahn, T. Pai, and S.-P. Hong. Access control in collaborative systems. ACM Comput. Surv., 37(1):29–41, 2005.

[13] W. G. Tzeng. A time-bound cryptographic key assignment scheme for access control in a hierarchy. IEEE Transactions on Knowledge and Data Engineering, 14(1):182–188, 2002.

[14] Wasp Consortium. D6.2-II Elderly Care Application: In-depth scenarios and use cases. http://www.wasp-project.org/, 2007.

[15] X. Yi. Security of chien’s efficient time-bound hierarchical key assignment scheme.IEEE Transactions on Knowledge and Data Engineering, 17(9):1298–1299, 2005.